Support rotation of System WellKnownCACertificates in BTLSP #5074

Open
@guydc

Description

Description:
Currently, BTLSP System WellKnownCACertificates are not reloaded by envoy on change.

https://github.com/envoyproxy/gateway/blob/main/internal/xds/translator/translator.go#L985

According to envoy docs:

If trusted_ca is a filesystem path, a watch will be added to the parent directory for any file moves to support rotation. This currently only applies to dynamic secrets, when the CertificateValidationContext is delivered via SDS.

https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#envoy-v3-api-msg-extensions-transport-sockets-tls-v3-certificatevalidationcontext

Envoy Gateway can deliver the file source validation context using SDS, ensuring that changes in the CA certificate are picked up by Envoy.

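The contrast the quoted Envoy documentation draws, as an added example that is not part of this issue or of Envoy Gateway's translator output: a CertificateValidationContext whose trusted_ca file is inlined statically is read once and never watched, whereas the same validation context delivered as an SDS Secret gets a watch on the parent directory so a rotated bundle is reloaded. The bundle path, the secret name and the file-based SDS source are assumptions for illustration.

```yaml
# Assumed example, not Envoy Gateway output. Static delivery: Envoy reads the
# CA bundle once at config load and adds no watch, so a rotated file is ignored.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    common_tls_context:
      validation_context:
        trusted_ca:
          filename: /etc/ssl/certs/ca-certificates.crt   # assumed system bundle path
---
# SDS delivery: the validation context is a dynamic Secret, so Envoy watches the
# parent directory of trusted_ca.filename and reloads on file moves (rotation).
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    common_tls_context:
      validation_context_sds_secret_config:
        name: system-wellknown-ca             # assumed secret name
        sds_config:
          resource_api_version: V3
          path_config_source:                 # file-based SDS source, assumed here;
            path: /etc/envoy/sds/system-ca.yaml   # a control plane serves the same Secret over xDS
---
# Contents of /etc/envoy/sds/system-ca.yaml (assumed): the Secret resource itself.
resources:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: system-wellknown-ca
  validation_context:
    trusted_ca:
      filename: /etc/ssl/certs/ca-certificates.crt
```

To check the difference, rotate the bundle by writing the new file next to it and renaming it into place (a move, which is what the watch reacts to): the SDS-backed configuration picks up the new roots without a restart, while the static one keeps the old roots until the configuration is reloaded.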

    Labels

area/api: API-related issues
help wanted: Extra attention is needed
kind/bug: Something isn't working